Daniel B. Garrie & Rebecca Wong, Demystifying Clickstream Data: A European and U.S. Perspective

Citation: Vol. 20 No. 2
Publication year: 2006

DEMYSTIFYING CLICKSTREAM DATA: A EUROPEAN AND U.S. PERSPECTIVE

Daniel B. Garrie*

Rebecca Wong**

INTRODUCTION

There has been much literature written on the subject of clickstream data.[1] However, very little has been discussed over the extent to which clickstream data is considered as "personal data" under European and U.S. law.[2] This Article considers the current European Union (EU) regulations governing clickstream data by examining the European Data Protection Directive 95/46/EC (DPD)[3] and the Directive on Privacy and Electronic Communications 2002/58/EC (DPEC),[4] comparing these laws with the U.S. legal framework. In particular, this Article discusses the broad application of the DPD under Article 4 and the notion of "personal data" as defined under Article 2(a).[5] The implications of the DPD should not be underestimated because the DPD can have overreaching effects by applying to companies or organizations operating outside the European Economic Area ("EEA"), principally through Article 4(1)(c).[6] In addition, this Article surveys the applicable clickstream statutory regulatory frameworks by reviewing Title III of the 1968 Omnibus Crime Control and Safe Streets Act ("Wiretap Act") and its progeny.[7] This Article takes a critical approach to clickstream data by considering the current EU and U.S. regulatory frameworks for clickstream data and by analyzing the extent to which such data is protected.

I. WHAT IS CLICKSTREAM DATA?

The first question is what is clickstream data?[8] Clickstream data is defined as "the generic name given to the information a website can know about a user simply because the user has browsed the site."[9] Clickstream data is compiled from cookie based technology,[10] which websites began using in the mid-1990s.[11] Cookies are information packets transmitted from a server to an end-user's web browser and that are then retransmitted back to the server each time the browser accesses a server's webpage.[12] Cookies store information used for authentication, identification, or registration of an end-user to a web site, thereby enabling the end-user's web browser to maintain a relationship between the server and the end-user.[13] The use of cookie based technology enables companies to deliver user-specific solutions for each machine that accesses their web pages by placing electronic markers on end-user machines.[14] Collectively these cookie-driven markers create a trail of information commonly referred to as "clickstream data."[15]

Clickstream data and cookies can be found in most Internet driven commerce contexts, including those involving the employer-employee workplace and the Internet Service Provider (ISP)/online company and its users, particularly in the context of interactive marketing.

In its infancy, clickstream data was used to garner basic information from a web user,[16] such as the type of computer an individual used to access the Internet, the type of Internet browser utilized, or the identification of each site or page visited.[17]

As technology evolved, however, so did the scope of data encompassed by clickstream data.[18] For instance, today, when an individual discloses certain information during a visit to a website via his or her Personal Digital Assistant, cell phone, Blackberry, laptop computer, iPod, or desktop computer, it is possible that the website will be collecting clickstream data of a much more personal nature.[19] Clickstream data is used in part because web server technologies cannot store, sort, and render to a user the vast amounts of data required to deliver the respective web solutions to each individual user to a site or to authenticate a user.[20] Thus, such websites can off-load information to the user's device where it is stored in text files called "cookies."[21] These cookies provide the website a mechanism that is able to collect or store data on the user's machine,[22] thereby enabling the web site to record, track, monitor, and deliver dynamic content reflective of the data points stored on their machine.[23]

The data mining industry and a majority of web portals and Internet companies would be severely limited, if not rendered useless, in the absence of clickstream data.[24] Internet companies currently rely heavily on tracking clickstream data to profile user preferences in order to deliver customized services and advertisements to Internet users.[25] Although it is possible for authentication processes to occur in a different manner, by requiring the users to affirmatively consent to monitoring of clickstream data, it is highly unlikely that fully informed end-users[26] would interact with sites that track, monitor, and traffic in their personally identifiable information.[27]

A. Employer/Employee Workplace

1. Europe

Software exists such that employers may monitor the web pages visited and Internet transactions executed by their employees.[28] Although the employer has unchecked monitoring privileges in the United States, any covert monitoring by an employer would potentially violate the national data protection laws in Europe, unless employees have consented to such use.[29] In the context of European data protection law, it is arguable that employees consent reluctantly to their employer monitoring their online behavior in the economic interest of the company. As Lee Kovarsky has stated:

That employers may monitor email and web surfing to promote productivity and protect against industrial espionage has become more of a fact of life than a controversy and employers would likely contract around any default rule to the contrary.[30]

Taking an alternative view on employee monitoring, the Article 29 Working Party, an independent advisory body tasked to provide opinions on the DPD and the DPEC, has issued some guidelines on the surveillance of electronic communications in the workplace.[31] These guidelines aim to "contribute to the uniform application of the national measures adopted under the [DPD]" in surveillance and monitoring of electronic communications in the workplace.[32]

The Working Party has taken the view that prevention should be more important than detection and that the interest of the employer is better served in preventing Internet misuse, rather than detecting such misuse.[33]

These guidelines have been found to emphasize the following principles when monitoring e-mail and Internet use of employees within the borders of the EU:

• Principle of necessity: the monitoring in question must be necessary for a specified purpose and should not be used if there are any less intrusive methods.[34]

• Principle of finality: data must be collected for a specified, explicit, and legitimate purpose and not further processed in a way incompatible with those purposes.

• Principle of transparency: the employer must be clear and open about his activities. Unless covert monitoring falls within the exemptions laid down under Article 13[35] of the DPD, such monitoring should not be permitted. This principle may also include the obligation to notify the relevant data protection authorities before personal data is processed.

• Obligation to provide information about the data subject: in particular, workers should be provided with a readily accessible, clear, and accurate statement of the company's policy on e-mail and Internet monitoring. Data subjects also have the right to access the personal data processed by their employer.

• Principle of legitimacy: in accordance with Article 7 of the DPD, or data protection laws transposing this provision, processing of personal data can only take place if it has a legitimate purpose.

• Principle of proportionality: personal data must be adequate, relevant, and not excessive with regard to achieving the purpose specified. In other words, the monitoring must be proportional to the risks entailed by the employer.

• Accuracy and retention of data: data stored by an employer consisting of data from or related to a worker's e-mail account or the worker's use of the Internet must be accurate and kept up to date and not kept for longer than necessary.

• Security: in accordance with Article 17 of DPD, employers should ensure that appropriate technical and organizational measures are in place to ensure that any personal data held by the employer is secure and safe from outside intrusion.[36]

Whilst these principles are helpful in guiding the employers over the general application of e-mail and Internet monitoring, employers and employees should nevertheless be educated about the collection of clickstream data and the ways in which it is used.

2. U.S. Law

The United States' courts have recognized an employer's right to monitor employees' e-mail messages and to use digital technologies to protect trade secrets.[37] The U.S. courts have found employees do not have an objectively reasonable expectation of privacy when their employer has an e-mail policy informing them that their e-mail or Internet use may be monitored.[38] For instance, the Fourth Circuit in United States v. Simons recognized that the employee has no expectation of privacy in clickstream data.[39] Essentially, U.S. courts have reasoned employers have the right to invade employees' digital work spaces because employers have legitimate interests in all communications transmitted on their digital networks.[40]

In monitoring employees, the vast majority of large employers use digital tracking technology.[41] Recently, the Washington Internet Daily released a survey finding that eighty percent of major U.S. companies record and review their employees' electronic communications or browser use.[42] Sixty-seven percent of employers have disciplined at least one employee for improper or excessive use of e-mail or Internet access; thirty-one percent have fired employees for such conduct.[43] A recent survey found that more than three-quarters of major U.S. corporations monitor employee activities, including telephone calls, e-mail, Internet communications, and computer files.[44] In addition to the employer's ability to monitor employee digital transmissions, employers...
